Service Configuration Properties: Respond-server Configuration

Document created by RSA Information Design and Development Employee on Jan 31, 2020. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.

MigrationProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.migration.im-data-path | /opt/rsa/im | string | The location of the 10.x IM service |
| rsa.migration.max-retries | 200 | integer | Number of times Respond attempts to run the migration if it cannot connect to Mongo or Mongo is down. |
| rsa.migration.time-to-wait-between-retries | 60 | seconds | How often (in seconds) Respond retries the connection to Mongo |

RespondPrimaryProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.primary.host | true | boolean | Determines whether the current Respond service is running on the primary |
| rsa.primary.mode |  | respondprimaryproperties$scheduledjobsmode | Mode of the current Respond server |

AlertRuleProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.alertrule.batch-size | 1000 | long | The number of alerts to be processed by a rule in one batch |
| rsa.respond.alertrule.counter-reset-interval-days | 7 | integer | How often rule counters should be reset |
| rsa.respond.alertrule.enabled | true | boolean | Alert rules enabled |
| rsa.respond.alertrule.frequency | 5 | seconds | The frequency of the alert rule job |
| rsa.respond.alertrule.last-counter-reset-time | 0 | long | Timestamp of when the rule counters were last reset |

ArcherIntegrationProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.archer.export.user-domain |  | string | Archer UserDomain; set this only when LDAP is enabled on Archer |

RespondCacheProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.cache.user-cache-expiry | 2 | seconds | How often to query the security server for the latest user information, such as email addresses |
| rsa.respond.cache.user-cache-size | 1000 | integer | Total size of the user cache |

DataRetentionConfiguration

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.dataretention.enabled | false | boolean | Whether the data retention job is enabled |
| rsa.respond.dataretention.execution-hour | 0 | integer | Hour at which to run the job |
| rsa.respond.dataretention.frequency | 24 | seconds | How often the job that deletes old alerts/incidents should run |
| rsa.respond.dataretention.retention-period | 90 | seconds | How long alerts/incidents should be stored |

IndicatorAggregationJobConfig

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.indicatoraggregationrule.schedule-delay | 0 | long | Delay and frequency of indicator aggregation jobs |
| rsa.respond.indicatoraggregationrule.schedule-rate | 5000 | long |  |
| rsa.respond.indicatoraggregationrule.seek-ahead-days | 0 | integer | How many days ahead of the incident window close time indicator aggregation should look. |
| rsa.respond.indicatoraggregationrule.seek-back-days | 1 | integer | How many days before the first alert received time indicator aggregation should look when aggregating indicators |

IntegrationExportProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.integration.export.archer-exchange-name | incidents.archer | string |  |
| rsa.respond.integration.export.archer-sec-ops-integration-enabled | false | boolean |  |
| rsa.respond.integration.export.breach-integration-enabled | false | boolean |  |
| rsa.respond.integration.export.escalation-settings |  | map |  |
| rsa.respond.integration.export.export-incident-enabled | true | boolean |  |
| rsa.respond.integration.export.help-desk-integration-enabled | false | boolean |  |

NormalizationProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.normalization.alerts-queued | 100 | integer | The number of alerts to queue from RabbitMQ before waiting to consume further. The higher this value, the greater the chance of losing alerts if Respond goes down during normalization. |
| rsa.respond.normalization.custom-script-filename | custom_normalize_alerts.js | string | The name of the main custom JavaScript file used to normalize alerts. |
| rsa.respond.normalization.indicator-normalization-enabled | true | boolean | Determines whether the legacy and indicator bindings should be created |
| rsa.respond.normalization.max-legacy-consumers | 10 | integer | The maximum number of consumers that can consume from the legacy alerting exchange. |
| rsa.respond.normalization.script-directory | scripts | string | The name of the directory, relative to the service home directory, that contains the normalization JavaScript files. |
| rsa.respond.normalization.script-filename | normalize_alerts.js | string | The name of the main JavaScript file used to normalize alerts. |
| rsa.respond.normalization.shutdown-timeout | 30 | seconds | The maximum time to wait for already-received alerts to finish processing before the service shuts down. |
| rsa.respond.normalization.thread-count | 4 | integer | The number of threads used to normalize and persist alerts. |
| rsa.respond.normalization.transient-indicator-normalization-enabled | true | boolean | Determines whether the low-priority transient alerts binding should be created |

QueryProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.query.default-batch-size | 100 | long | Default chunk/batch size used to stream items to the client (the client may override it) |
| rsa.respond.query.default-query-limit | 1000 | long | Default number of items sent to the client in response to a single request (the client may override it) |
| rsa.respond.query.max-query-limit | 5000 | long | Maximum number of items sent to the client in response to a single request |

RiskProcessingProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.risk.alert.processing.concurrent-processors | 4 | integer | Number of staging operations to run concurrently. |
| rsa.respond.risk.alert.processing.context-limit | 1000 | integer | Maximum number of alert contexts per rule in a category |
| rsa.respond.risk.alert.processing.default-files | cmd.exe, powershell.exe, wscript.exe, cscript.exe, rundll32.exe | string | Names of files that are considered default OS-provided files |
| rsa.respond.risk.alert.processing.page-size | 100 | integer | Page size used when querying for persisted alerts |
| rsa.respond.risk.alert.processing.persisted-collection-interval | 30 | seconds | Interval at which the alert collection is queried for persisted alerts |
| rsa.respond.risk.alert.processing.staging-cleanup-interval | 5 | seconds | Cleanup interval for processed AlertRule entries in the staging collection |
| rsa.respond.risk.alert.processing.staging-fetch-size | 5000 | integer | Number of AlertRule entries fetched from staging in a single request |
| rsa.respond.risk.alert.processing.staging-work-interval | 10 | seconds | How often (in seconds) staged entries are fetched for processing |
| rsa.respond.risk.alert.processing.track-file-name-change | false | boolean | The file name associated with a hash may change over time; controls whether such changes are tracked and the latest name saved |
| rsa.respond.risk.alert.processing.track-host-name-change | true | boolean | The host name of a host may change over time; controls whether such changes are tracked and the latest name saved |

RiskCachingProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.risk.caching.expiration-time | 60 | seconds | Time (in minutes) since last access after which an entry expires from the cache. |
| rsa.respond.risk.caching.grouped-cache-expiration-time | 5 | seconds | Time (in minutes) since last access after which an entry expires from the grouped cache |
| rsa.respond.risk.caching.grouped-cache-size | 10000 | integer | Maximum number of entries stored in the grouped cache |
| rsa.respond.risk.caching.size | 500000 | integer | Number of entries to be stored in the cache |

RiskRetentionProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.risk.data.retention.frequency | 1 | seconds | Frequency at which the retention job runs |
| rsa.respond.risk.data.retention.retention-period | 30 | seconds | The retention threshold (in days) |
| rsa.respond.risk.data.retention.roll-up-to-day | false | boolean | Controls whether the roll-up time is calculated from the start of the day on which the task is executed. |

RespondScheduledJobsProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.scheduled.jobs.aggregation-job-enabled | true | boolean | Determines whether the aggregation job is enabled or disabled |
| rsa.respond.scheduled.jobs.data-retention-job-enabled | true | boolean | Determines whether the data retention job is enabled or disabled |
| rsa.respond.scheduled.jobs.risk-scoring-enabled | true | boolean | Determines whether the risk scoring functionality is enabled or disabled |

SecurIdIntegrationProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.respond.securid.alert-page-size | 100 | integer | Alerts are fetched from incidents page by page. This property controls the maximum number of alerts fetched per page. |
| rsa.respond.securid.alert-scan-json-paths | $.events[*].. | list | List of JSONPaths used to scan for the given userMetas in an alert. By default it contains a single JSONPath, which is enough to read all direct occurrences of the given userMeta values from the source and destination metas in all events of an alert. |
| rsa.respond.securid.incident-processing-threads | 3 | integer | Number of threads used to process incident update events |
| rsa.respond.securid.max-incident-queue-size | 100 | integer | Maximum size of the queue that holds incident change events awaiting processing. |
| rsa.respond.securid.secur-id-list-update-task-interval | 15 minutes | seconds | Interval of the periodic task that updates the high-risk users list in the SecurID cloud |
| rsa.respond.securid.secur-id-request-batch-size | 100 | integer | Maximum number of users sent in a single request to the SecurID cloud. |
| rsa.respond.securid.user-meta | email_address | string | The "respond specific" meta in an alert that identifies the user to be added to the SecurID high-risk users list. Defaults to email_address. |
